MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b89a4e530394910333e48f5aec879e916a15034635e03927a3dd00c5eef5a189. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b89a4e530394910333e48f5aec879e916a15034635e03927a3dd00c5eef5a189
SHA3-384 hash: d3bd90e2621e0c6f3bf2b687b94903eec9f489582eccac99acbb8899bf307441c61284b993f0fe46c97980f8a4035681
SHA1 hash: e3b61f6a0d1ed40ae93e857c35b03248c08682d4
MD5 hash: 1b9ef6a2c96efb0f06dbac005879ad68
humanhash: edward-iowa-washington-mexico
File name:1b9ef6a2c96efb0f06dbac005879ad68.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:146'432 bytes
First seen:2022-08-11 19:21:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 319fe90009d9ce0aa4e432b3b8307a17 (7 x Gh0stRAT)
ssdeep 3072:cm2t+PdK2H+htUUjGBtbOmIEy39KPGfbV89VehwDVFmUqQoh5eb:cmpVKd7kcuy3QepeoWykb
TLSH T178E32371902B8DA2E1279AB22F063D0EFC5272C5341415711BA6261BF30FBE9D5BE8A1
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe Gh0stRAT


Avatar
abuse_ch
Gh0stRAT C2:
58.138.234.82:9065

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
58.138.234.82:9065 https://threatfox.abuse.ch/ioc/842568/

Intelligence

File Origin
# of uploads :
1
# of downloads :
397
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1b9ef6a2c96efb0f06dbac005879ad68.exe
Verdict:
Suspicious activity
Analysis date:
2022-08-11 19:21:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8218b77e-8292-49da-8f30-21660cd13b86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298088/
Detection(s):
Win.Trojan.Farfli-9753454-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Сreating synchronization primitives
Creating a service
Creating a file in the Program Files subdirectories
Launching a service
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed pcclient
Link:
https://www.filescan.io/uploads/62f556dc810e2831b73a2a54/reports/4d934b01-e3fd-461e-9a1d-9d19812f3706/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Barys
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/477170c3-6ea8-4363-914b-5cd9e4d1a72a
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1050211
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 682717 Sample: ym1VQYNUNJ.exe Startdate: 11/08/2022 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Antivirus detection for dropped file 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 6 other signatures 2->41 6 svchost.exe 2 2->6         started        9 ym1VQYNUNJ.exe 2 7 2->9         started        13 svchost.exe 2->13         started        15 12 other processes 2->15 process3 dnsIp4 49 Found stalling execution ending in API Sleep call 6->49 51 Deletes itself after installation 6->51 53 Contains functionality to detect sleep reduction / modifications 6->53 17 rundll32.exe 6->17         started        31 192.168.2.1 unknown unknown 9->31 25 C:\map3013000.dll, PE32 9->25 dropped 27 C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp, PE32 9->27 dropped 55 Detected unpacking (changes PE section rights) 9->55 57 Changes security center settings (notifications, updates, antivirus, firewall) 13->57 21 MpCmdRun.exe 1 13->21         started        33 127.0.0.1 unknown unknown 15->33 59 Query firmware table information (likely to detect VMs) 15->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->61 23 conhost.exe 15->23         started        file5 signatures6 process7 dnsIp8 29 58.138.234.82, 49738, 49822, 49823 VTOPIA-AS-KRVTOPIAKR Korea Republic of 17->29 43 System process connects to network (likely due to code injection or exploit) 17->43 45 Found stalling execution ending in API Sleep call 17->45 47 Contains functionality to detect sleep reduction / modifications 17->47 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b89a4e530394910333e48f5aec879e916a15034635e03927a3dd00c5eef5a189/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2022-08-09 16:15:22 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
24 of 25 (96.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcne4uydssiqgm7er5nozb46sfvbka2ggxqdsj5d3uaml3xvugeq._file
Verdict:
malicious
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat rat
Link:
https://tria.ge/reports/220811-x2nnbadfb9/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in System32 directory
Deletes itself
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Gh0st RAT payload
Gh0strat
Unpacked files
SH256 hash:
db9e1fc2b579cda06a22a30536a865c14cb141ef2927550264d1ebe5f9e88092
MD5 hash:
fd5462e79dd379f11d838b11fb502b5c
SHA1 hash:
d7a8293460974e757af9e4ee12de3cf1c1306f14
Link:
https://www.unpac.me/results/ad4de494-a7a7-465b-b723-1f26975f1152/
SH256 hash:
d130a100098d62e6e7cc4a33aa0799c4e94d17cbfeb8e86cf58f6e8eaa920b8d
MD5 hash:
4c0f9c811c7c8368fee1455c3e1d7599
SHA1 hash:
1d8e524360a226942a7c2be33d74e0adb604bbc1
Link:
https://www.unpac.me/results/ad4de494-a7a7-465b-b723-1f26975f1152/
SH256 hash:
b89a4e530394910333e48f5aec879e916a15034635e03927a3dd00c5eef5a189
MD5 hash:
1b9ef6a2c96efb0f06dbac005879ad68
SHA1 hash:
e3b61f6a0d1ed40ae93e857c35b03248c08682d4
Link:
https://www.unpac.me/results/ad4de494-a7a7-465b-b723-1f26975f1152/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b89a4e530394/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
PcClient
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b89a4e530394910333e48f5aec879e916a15034635e03927a3dd00c5eef5a189

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298088/

Comments